Through compliance templates and data identifiers, Data Loss Prevention policies
allow companies to monitor the flow of sensitive information stored in cloud applications
and
services.
-
Define data identifiers and compliance templates for specific regulatory controls
-
Target specific user mailboxes, SharePoint sites, or cloud application users and groups
Configuring Data Loss Prevention
![]() |
NoteData Loss Prevention is not available in the inbound protection of Exchange
Online in inline mode.
|
Procedure
- Select Data Loss Prevention.
- Enable Data Loss Prevention.
- Select the scope of email messages that Data Loss Prevention applies to.
-
All messages: means that this policy applies to incoming, outgoing, and internal email messages. Incoming/outgoing email messages are sent from/to non-internal domains.
-
Incoming messages: means that this policy applies only to incoming email messages sent from non-internal domains.
-
Sent messages only: means that this policy applies only to email messages in the Sent Items folder.
-
- Optionally select Display violating content in logs with sensitive
data Masked/Unmasked.This provides flexibility for you to determine how sensitive data of your organization will be handled in Data Loss Prevention logs on Cloud App Security for privacy concerns.
-
If the check box is not selected, Cloud App Security does not record and display violating content, including the sensitive data that triggered a Data Loss Prevention violation, in the Violating Content column in Logs.
-
If Display violating content in logs with sensitive data Unmasked is selected, Cloud App Security records and displays violating content in the Violating Content column in Logs. The sensitive data that triggered a Data Loss Prevention violation is displayed without being masked.
Note
Violating content including the sensitive data to display does not exceed 300 characters. -
If Display violating content in logs with sensitive data Masked is selected, Cloud App Security records and displays violating content in the Violating Content column in Logs. The sensitive data that triggered a Data Loss Prevention violation is replaced with asterisks (*), except for the last four characters.
Note
If the sensitive data is no longer than four characters, it is displayed without being masked.
The default value is Display violating content in logs with sensitive data Unmasked.If this setting is changed, it applies only to subsequent violating content. The previous content is not affected. -
- (Exchange Online and Gmail only) Select one or multiple scan targets, which can
be the subject, body, and attachment of email messages.For Exchange Online, you can also select the email header as the scan target and specify a maximum of 10 header field names. When a header field of an email message exactly matches a specified value, the header field will be scanned based on the configured compliance rules.
- Configure Compliance Rule(s) settings.
- Add sensitivity labels and select the action.Optionally click Sync Labels to sync the latest sensitivity labels from Microsoft Information Protection.For details about the actions, see Actions available for different services.
Note
-
This feature is available for OneDrive, Microsoft Teams (Teams), Microsoft Teams (Chat), SharePoint Online, and Exchange Online (not including Exchange Online - Inline Mode).
-
Sensitivity label-based actions are available only after you have granted Cloud App Security access to Microsoft Information Protection.
-
- Add compliance templates, then select the action.You can also import compliance templates and edit or remove the existing templates.For details about the actions, see Actions available for different services.
- Add sensitivity labels and select the action.
- Click Show Advanced Options or Show Advanced
Settings for Files (for Salesforce) to configure advanced
settings for the actions.
Note
The settings are not available to Exchange Online, Microsoft Teams (Chat), and Gmail.- (Salesforce only) Select the Configure actions dedicated to
files check box to separately configure actions for
files.
Note
When this option is selected, for a file, Cloud App Security takes the action specified here instead of the policy-level action described in step 5. - (Salesforce only) Select Apply secondary action when file
quarantine fails and specify a secondary action if you
want to take a backup action when the quarantine action for a file
fails.
Note
This option can be configured only when the Quarantine action is selected.- If Configure actions dedicated to files is enabled with the Quarantine action selected, the secondary action applies when this Quarantine action fails.
- If Configure actions dedicated to files is not enabled, the secondary action applies when the policy-level Quarantine action (as described in step 5) for a file fails.
- If the Tag file name action is selected,
specify the tag to amend to the file name.
Note
The tag cannot exceed 20 characters or contain unsupported characters (/ \ : * ? < > " |). - If the Quarantine or
Delete action is selected, specify text to
replace the original file content when a file is quarantined or
deleted.
Note
This option is not available for Exchange Online, Exchange Online (Inline Mode), and Gmail. - If the Apply sensitivity label action is
selected, configure Sensitivity Labeling.
-
Select a Microsoft Information Protection sensitivity label from the drop-down list.
Note
The sensitivity labels are defined on the Microsoft 365 compliance center and automatically sync to Cloud App Security on a daily basis. If no sensitivity has been defined, you cannot specify the "Apply sensitivity label" action, and the policy cannot be saved. -
Optionally select Override the original sensitivity label.
Note
The original sensitivity label refers to the sensitivity label that users have applied when uploading, creating, synchronizing, or modifying files in Microsoft Teams, SharePoint Online, or OneDrive. If you do not select this option, the original sensitivity labels are still applied to the files. -
Optionally select Take a backup action when applying the sensitivity label fails and select an action from the drop-down list, which can be Pass, Delete, or Quarantine.
Note
This backup action is taken on files that violate the Data Loss Prevention policy if Cloud App Security fails to apply the specified sensitivity label to the files for reasons such as that the specified sensitivity label has been deleted on the Microsoft 365 compliance center, or that the file type is not supported. -
Optionally click Click here to synchronize the latest sensitivity labels from Microsoft.
-
- (Exchange Online - Inline Mode only) If the Change
recipient action is selected, configure
Change Recipient Action Settings.The Change recipient action intercepts emails and routes them to your specified recipients, allowing related personnel to have direct access to the emails violating a Data Loss Prevention policy.
-
Type an email address in your organization to redirect emails to.You can add up to 5 email addresses.
-
Type the disclaimer to inform the recipients why they receive this redirected email.You can use tokens in the message. Currently, the disclaimer only supports the token %policy_name%.
-
- (Salesforce only) Select the Configure actions dedicated to
files check box to separately configure actions for
files.
- Configure Notification
settings.
Option Description Notify administrator-
Specify the administrators to notify by selecting a recipient group or specifying individual recipients. You can click Manage recipient groups to edit the members in a group or add more groups.
-
Specify message details to notify administrators that Cloud App Security detected a security risk and took action on an email message, attachment, or file.
-
Set the notification threshold which limits the number of notification messages to send. Threshold settings include:
-
Send consolidated notifications periodically: Cloud App Security sends an email message that consolidates all the notifications for a period of time. Specify the period of time by typing a number in the box and selecting hour(s) or day(s).
-
Send consolidated notifications by occurrences: Cloud App Security sends an email message that consolidates notifications for a set number of filtering actions. Specify the number of virus/malware occurrences by typing a number in the box.
-
Send individual notifications: Cloud App Security sends an email message notification every time Cloud App Security performs a filtering action.
-
Notify UserExchange Online and Gmail: Specify message details that notify recipients that Cloud App Security detected a security risk and took action on their email message or attachment.SharePoint Online, OneDrive, Microsoft Teams (Teams), Box, Dropbox, and Google Drive: Specify message details that notify the user who updated a file that Cloud App Security detected a security risk and took action on their file.Salesforce: Specify message details that notify the user who updated a Salesforce object record that Cloud App Security detected a security risk and took action on the update.Teams Chat: Cloud App Security does not provide this option. When a chat message was blocked, a notification "This message was blocked." provided by Microsoft appears in the sender's private chat window. Message senders can click What can I do? to view more information about the blocked messages.Box:-
Optionally select the Allow the user to restore the quarantined file check box. This allows end users to restore a quarantined file violating a Data Loss Prevention policy.
-
The email message sent to the user will contain a link. Clicking the link opens a screen where the user can view the file information, select a reason for restoration, and submit the restoration request. The link is valid only for 24 hours.
-
The administrator can go to the Quarantine screen to query and view data about the files restored by end users and the reason for each restoration.
-
-
Optionally select the Do not notify external user check box. This allows the administrator to choose not to notify an end user of policy violation details if the user violating the policy does not belong to your organization.
Note
When specifying a notification message, include relevant tokens and edit the message content as desired. For details about tokens, see Token list. -
- Click Save.